


How to solve the arbitrary file deletion vulnerability in WordPress plugin WooCommerce
Technical Details
The permission processing mechanism of WordPress is mainly implemented by providing different functions for different roles. When the store administrator role is defined, it will assign the edit_users function to this role, so that They can directly manage the store's customer account. The entire permission assignment process occurs during the installation process of the plug-in. woocommerce/includes/class-wc-install.php:
//Shop manager role.add_role( 'shop_manager', // Internal name of the new role 'Shop manager', // The label for displaying array( // Capabilities ⋮ 'read_private_posts' => true, 'edit_users' => true, 'edit_posts' => true, ⋮ ));
The role permission information will be stored in the database as WordPress core settings, which means that the user role is now independent of the plugin, even if the plugin is not enabled , and will not affect related role permissions.
When an authenticated user attempts to modify other user information, the current_user_can() function is called, and then ensures that only privileged users can perform this operation. Current_user_can() function call example:
$target_user_id= $_GET['target_user_id'];if(current_user_can('edit_user',$target_user_id)) { edit_user($target_user_id);}
The verification logic of the call is as follows: This user wants to use the ID $target_user_id to modify a specific user. Does he have the permission to execute?
Under the default configuration, the edit_users function allows users with permissions (such as store administrators) to edit other users, even administrator users, and then perform operations such as password updates. For security reasons, WooCommerce needs to specify whether store administrators can edit users, so the plug-in needs to add meta permissions. Meta functions can be called by current_user_can(). The value returned by the function under the default behavior is true, but the value returned by the meta permission function can determine whether the current user can perform such an operation. The following is the abstract function code of the WooCommerce meta permission filter:
function disallow_editing_of_admins( $capability, $target_user_id ) { // If the user is an admin return false anddisallow the action if($capability == "edit_user"&& user_is_admin($target_user_id)) { return false; } else { return true; }}add_filter('map_meta_cap', 'disallow_editing_of_admins');
For example, when current_user_can('edit_user', 1) is called, the filter will determine that the ID is 1 ($target_user_id) Whether the user is an administrator, and based on the results, determine whether to allow the user to operate.
Store administrator disables plug-ins
By default, only administrators can disable plug-ins. However, this vulnerability allows store administrators to delete any writable file on the server, so we can prevent WordPress from loading the plug-in by deleting WooCommerce’s main file-woocommerce.php.
This file deletion vulnerability exists in the logging function of WooCommerce. The logs will be stored in the wp-content directory in the form of .log files. When the store administrator wants to delete a log file, he needs to submit the file name as a GET parameter. The code snippet shown below is the vulnerable part:
woocommerce/includes/admin/class-wc-admin-status.php
class WC_Admin_Status{ public static function remove_log() { ⋮ $log_handler = newWC_Log_Handler_File(); $log_handler->remove(wp_unslash($_REQUEST['handle']));}
woocommerce/includes/log-handlers/class-wc -log-handler-file.php
class WC_Log_Handler_File extends WC_Log_Handler{ public function remove($handle) { ⋮ $file = trailingslashit(WC_LOG_DIR) .$handle; ⋮unlink($file);
The problem here is that the file name ($handle) will be added to the log directory (wp-content/wc-logs/) and then passed to unlink( )function. When setting "$handle../../plugins/woocommerce-3.4.5/woocommerce.php", file wp-content/wc-logs/../../plugins/woocommerce-3.4.5/woocommerce. php will be removed, causing WooCommerce to be disabled.
The above is the detailed content of How to solve the arbitrary file deletion vulnerability in WordPress plugin WooCommerce. For more information, please follow other related articles on the PHP Chinese website!

Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

Notepad++7.3.1
Easy-to-use and free code editor

SublimeText3 Chinese version
Chinese version, very easy to use

Zend Studio 13.0.1
Powerful PHP integrated development environment

Dreamweaver CS6
Visual web development tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

Hot Topics



How to turn off a comment in WordPress? Specific article or page: Uncheck Allow comments under Discussion in the editor. Whole website: Uncheck "Allow comments" in "Settings" -> "Discussion". Using plug-ins: Install plug-ins such as Disable Comments to disable comments. Edit the topic file: Remove the comment form by editing the comments.php file. Custom code: Use the add_filter() function to disable comments.

WordPress Error Resolution Guide: 500 Internal Server Error: Disable the plug-in or check the server error log. 404 Page not found: Check permalink and make sure the page link is correct. White Screen of Death: Increase the server PHP memory limit. Database connection error: Check the database server status and WordPress configuration. Other tips: enable debug mode, check error logs, and seek support. Prevent errors: regularly update WordPress, install only necessary plugins, regularly back up your website, and optimize website performance.

How to copy WordPress code? Copy from the admin interface: Log in to the WordPress website, navigate to the destination, select the code and press Ctrl C (Windows)/Command C (Mac) to copy the code. Copy from a file: Connect to the server using SSH or FTP, navigate to the theme or plug-in file, select the code and press Ctrl C (Windows)/Command C (Mac) to copy the code.

You can install the FTP plug-in through WordPress, configure the FTP connection, and then upload the source code using the file manager. The steps include: installing the FTP plug-in, configuring the connection, browsing the upload location, uploading files, and checking that the upload is successful.

Enable comments in WordPress website: 1. Log in to the admin panel, go to "Settings" - "Discussions", and check "Allow comments"; 2. Select a location to display comments; 3. Customize comments; 4. Manage comments, approve, reject or delete; 5. Use <?php comments_template(); ?> tags to display comments; 6. Enable nested comments; 7. Adjust comment shape; 8. Use plugins and verification codes to prevent spam comments; 9. Encourage users to use Gravatar avatar; 10. Create comments to refer to

The steps to create a custom header in WordPress are as follows: Edit the theme file "header.php". Add your website name and description. Create a navigation menu. Add a search bar. Save changes and view your custom header.

How to copy WordPress subsites? Steps: Create a sub-site in the main site. Cloning the sub-site in the main site. Import the clone into the target location. Update the domain name (optional). Separate plugins and themes.

Be cautious when building a WordPress website. The guide to breaking through pits helps you avoid risks: choose paid themes and avoid the quality and safety risks of free themes. "Less is more" when installing plugins to avoid website speed and compatibility issues. Regularly optimize the database to ensure the smooth operation of the website. Pay attention to security measures and regularly update and install security plug-ins. Modify the code carefully to avoid website crashes and do it in a test environment if necessary. Pay attention to performance optimization, improve website speed, and improve user experience.
